如何从 Graph Explorer 查询另一个 Azure Active Directory 租户

Question

I am using Azure Graph API Explorer. I want to query the apps list in a tenant. I am user in tenant_x (where user was originally created) as well as admin in tenant_y (created later with my user). I understand that when I log in I go directly in the origin tenant (so tenant_x) therefore Graph Explorer does not allow me to query tenant_y. So as admin of tenant_y I have added a new user in tenant_y. I log in now with that user but still I am not able to query the applications that are in tenant_y. So how can I query apps in tenant_y? Is there a way? thanks.

The API I am calling (with new user log-in) to first retrieve all applications:

https://graph.microsoft.com/beta/applications

Response is:

{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
"value": []
}

Of course I have apps in that tenant.

Answer 1

Based on our communication, you have used a personal account as guest of tenant_y to query the apps list in tenant_y.

Unfortunately, Microsoft Graph Explorer will not recognize your personal account as a guest user. It will still treat it as a personal account.

So it will query the apps list for the personal account rather than tenant_y.

So now you have two choices:

• Create a new user in tenant_y by following add a new user and then use this new user to log into Microsoft Graph Explorer to query the apps list.
• Implement Get access on behalf of a user and make sure that you call {your tenant} endpoint rather than common endpoint while requesting the access token. And you should use another tool (for example Postman ) instead of Microsoft Graph Explorer.

---

Update:

You can modify the permissions in Microsoft Graph Explorer like this：

Click on the "modify permissions" under your username in Microsoft Graph Explorer and check the Directory.Read.All permission.

Answer 2

Today that's possible if you pass the tenant query string parameter like this:

https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=mydomainname.onmicrosoft.com

Note that you need to logout before going to this URL with the tenant query string. It'll ask you to login again. After login you can issue queries against the other tenant you have access to (not your home tenant where your account was originally created on).

If you get a 401 while running the specific query, make sure you grant the required permissions on "Modify permissions" tab and click the Consent button in each required permission. After that your query should return a 200 success result.

Answer 3

Graph Explorer today does not support signing in to the tenanted endpoint. A tenanted endpoint is used in the following format

https://login.microsoftonline.com/ {tenantId}/V2.0

Once your user account from tenant_x is made a guest user in tenant_y, to effectively query tenant_y using your guest user account, an app (like Graph explorer) has to sign you in the other tenant. Instead Graph Explorer uses the /Common endpoint, which will always sign you in your home tenant (tenant_x).

The only available workaround is to develop a application quickly and sign-in to a tenant of your choice and run Apis in it.

Graph explorer is a tool to help developer's discover and learn about the Graph Api and thus might shy away from introducing too much complexity. But it does not hurt to ask for this feature at their Github repo .